Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 495/583 Topics of Software Security Heap Exploitation

Published byVerity Preston Modified over 6 years ago

Similar presentations

Presentation on theme: "CSC 495/583 Topics of Software Security Heap Exploitation"— Presentation transcript:

1 CSC 495/583 Topics of Software Security Heap Exploitation
Class11 CSC 495/583 Topics of Software Security Heap Exploitation Dr. Si Chen

2 Heap Overview Heap Exploitation Overview Heap Overflows Use After Free
Heap Spraying Metadata Corruption

3 It’s just another segment in runtime memory
The Heap 0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack It’s just another segment in runtime memory 0xFFFFFFFF

4 Basics of Dynamic Memory
int main() { char * buffer = NULL; /* allocate a 0x100 byte buffer */ buffer = malloc(0x100); /* read input and print it */ fgets(stdin, buffer, 0x100); printf(“Hello %s!\n”, buffer); /* destroy our dynamically allocated buffer */ free(buffer); return 0; }

5 Heap vs Stack Heap Dynamic memory allocations at runtime
Objects, big buffers, structs, persistence, larger things Slower, Manual Done by the programmer malloc/calloc/recalloc/free new/delete Stack Fixed memory allocations known at compile time Local variables, return addresses, function args Fast, Automatic Done by the compiler Abstracts away any concept of allocating/de-allocating

6 Tons of different heap implementations
dlmalloc ptmalloc tcmalloc jemalloc nedmalloc Hoard Some applications even create their own heap implementations!

7 Sizes.c

8 Sizes.c How many bytes on the heap are your malloc chunks really taking up??

9 unsigned int * buffer = NULL; buffer = malloc(0x100);
Heap Chunks unsigned int * buffer = NULL; buffer = malloc(0x100); //Out comes a heap chunk Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

10 Heap Chunk Previous Chunk Size Chunk Size Heap Chunks
Size of previous chunk (if prev chunk is free) Chunk Size Size of entire chunk including overhead Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

11 Heap Chunk Data Heap Chunks
– Your newly allocated memory / ptr returned by malloc Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

12 Heap Chunk Flags Heap Chunks
– Because of byte alignment, the lower 3 bits of the chunk size field would always be zero. Instead they are used for flag bits. 0x01 PREV_INUSE – set when previous chunk is in use 0x02 IS_MMAPPED – set if chunk was obtained with mmap() 0x04 NON_MAIN_ARENA – set if chunk belongs to a thread arena Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

13 Pseudo Memory Map Runtime Memory Runtime Memory MBE - 04/07/2015 1313
0x – Start of memory 0x – Start of memory Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack 0x – Start of .text Segment 0x – Start of .text Segment 0xb7ff0000 – Top of heap 0xbfff0000 – Top of stack 0xFFFFFFFF – End of memory MBE - 04/07/2015 Heap Exploitation 1313

14 Heap Allocations Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

15 Heap Allocations Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

16 Heap Allocations Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

17 Heap grows DOWN towards higher memory
Segment Growth Heap grows DOWN towards higher memory Heap Segment higher memory Grows towards > Stack grows UP towards lower memory Grows towards lower memory < Stack Segment

18 Segment Growth Runtime Memory Libraries (libc) ELF Executable
.text segment .data segment Heap Stack Heap Segment higher memory Grows towards > Grows towards lower memory < 0xFFFFFFFF Stack Segment

19 Heap grows DOWN towards higher memory
Segment Growth Heap grows DOWN towards higher memory Heap Segment higher memory Grows towards > Stack grows UP towards lower memory Any ideas why? – Probably historical reasons, gave low memory systems more room to fluctuate Grows towards lower memory < Stack Segment

20 Heap chunks exist in two states
Heap Chunks – In Use Heap chunks exist in two states in use (malloc’d) free’d Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

21 free(buffer); Heap Chunk (freed) Forward Pointer Backwards Pointer
Heap Chunks – Freed free(buffer); Forward Pointer A pointer to the next freed chunk Backwards Pointer A pointer to the previous freed chunk Heap Chunk (freed) Previous Chunk Size (4 bytes) Chunk Size (4 bytes) FD (4 bytes) BK (4 bytes) Flags *(buffer-2) *(buffer-1) *buffer *(buffer+1)

22 From Glibc 2.7.0 Source (malloc.c)

23 Heap Overview Heap Exploitation Overview Heap Overflows Use After Free
Heap Spraying Metadata Corruption

24 Heap Overflows Runtime Memory Heap Segment 0x00000000 Libraries (libc)
ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

25 Heap Overflows Buffer overflows are basically the same on the heap as they are on the stack 0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA heap overflow Data Previous Chunk Size Chunk Size Data 0xFFFFFFFF

26 Heap Overflows In the real world, lots of cool and complex things like objects/structs end up on the heap Anything that handles the data you just corrupted is now viable attack surface in the application It’s common to put function pointers in structs which generally are malloc’d on the heap Overwrite a function pointer on the heap, and force a codepath to call that object’s function!

27 Use After Free Use After Free (UAF)
A class of vulnerability where data on the heap is freed, but a leftover reference or ‘dangling pointer’ is used by the code as if the data were still valid Most popular in Web Browsers, complex programs Also known as UAF

28 Use After Free (UAF) Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data pointer 0xFFFFFFFF

29 Use After Free (UAF) free()’d Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data pointer free()’d 0xFFFFFFFF

30 Use After Free (UAF) free()’d free()’d Runtime Memory Heap Segment
0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data free()’d ??? free()’d 0xFFFFFFFF

31 Use After Free (UAF) Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data pointer dangling 0xFFFFFFFF

32 Use After Free (UAF) Dangling Pointer A left over pointer in your code that references free’d data and is prone to be re-used As the memory it’s pointing at was freed, there’s no guarantees on what data is there now Also known as stale pointer, wild pointer

33 Use After Free (UAF) Runtime Memory Heap Segment 0x00000000
Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data pointer dangling 0xFFFFFFFF

34 Use After Free (UAF) Runtime Memory Heap Segment Libraries (libc)
ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data Previous Chunk Size malloc() Chunk Size pointer Newly allocated data 0xFFFFFFFF dangling

35 Use After Free (UAF) Runtime Memory Heap Segment Libraries (libc)
ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data Previous Chunk Size malloc() fgets() ... Chunk Size AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA pointer dangling

36 Use After Free (UAF) To exploit a UAF, you usually have to allocate a different type of object over the one you just freed struct toystr { void (* message)(char *); char buffer[20]; }; struct person { int favorite_num; int age; char name[16]; };

37 Use After Free You actually don’t need any form of memory corruption to leverage a use after free It’s simply an implementation issue – pointer mismanagement

38 Heap Spraying Heap Spraying
A technique used to increase exploit reliability, by filling the heap with large chunks of data relevant to the exploit you’re trying to land It can assist with bypassing ASLR A heap spray is not a vulnerability or security flaw

39 Heap Spray in Action Runtime Memory filler = “AAAAAAAAAAAAA...”;
0x – Start of memory 0x – .text Segment in ELF 0x – Top of heap filler = “AAAAAAAAAAAAA...”; for(i = 0; i < 3000; i++) { temp = malloc( ); memcpy(temp, filler, ); } Runtime Memory Libraries (libc) ELF Executable Heap Stack 0xbfff0000 – Top of stack 0xFFFFFFFF – End of memory

40 Heap Spray in Action Runtime Memory filler = “AAAAAAAAAAAAA...”;
0x – Start of memory 0x – .text Segment in ELF 0x – Top of heap filler = “AAAAAAAAAAAAA...”; for(i = 0; i < 3000; i++) { temp = malloc( ); memcpy(temp, filler, ); } 0xbbe09e00 – bottom of heap 0xbfff0000 – Top of stack 0xFFFFFFFF – End of memory Runtime Memory Libraries (libc) ELF Executable Heap AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA Stack 3GB of AAAAAAAAA’s

41 Heap Spraying in the Wild
Generally found in browser exploits, rare in CTF and wargames but still something you should be aware of Usually heap sprays are done in something like javascript placed on a malicious html page memory = new Array(); for(i = 0; i < 0x100; i++) memory[i] = ROPNOP + ROP;

42 On 32bit systems your address space is at maximum 4GB (232 bytes)
Heap Spraying on 32bit On 32bit systems your address space is at maximum 4GB (232 bytes) Spray 3GB of A’s onto the heap? – Note: It’s unlikely you would ever need to spray 3GB of anything as heap locations can be somewhat predictable, even with ASLR

43 On 64bit heap spraying can’t really be used to bypass ASLR
Heap Spraying on 64bit On 64bit heap spraying can’t really be used to bypass ASLR – Good luck spraying anywhere near 264 bytes (spoiler: that’s ~ terabytes) Targeted sprays are still useful in scenarios that you have a partial heap ptr overwrite or need to do some heap grooming

44 Heap Spray Payloads Pretty common to spray some critical value for your exploit, fake objects, or ROP chains

45 Q & A

Download ppt "CSC 495/583 Topics of Software Security Heap Exploitation"

Similar presentations

Dynamic Memory Management

Dynamic Memory Management
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Lecture 10: Heap Management CS 540 GMU Spring 2009.

Lecture 10: Heap Management CS 540 GMU Spring 2009.
User-Level Memory Management in Linux Programming

User-Level Memory Management in Linux Programming
Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.

Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Security & Exploitation

Security & Exploitation
Stacks and HeapsCS-3013 A-term 20081 A Short Digression on Stacks and Heaps CS-3013 Operating Systems A-term 2008 (Slides include materials from Modern.

Stacks and HeapsCS-3013 A-term A Short Digression on Stacks and Heaps CS-3013 Operating Systems A-term 2008 (Slides include materials from Modern.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Digression on Stack and Heaps CS-502 (EMC) Fall 20091 A Short Digression on Stacks and Heaps CS-502, Operating Systems Fall 2009 (EMC) (Slides include.

Digression on Stack and Heaps CS-502 (EMC) Fall A Short Digression on Stacks and Heaps CS-502, Operating Systems Fall 2009 (EMC) (Slides include.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Stacks and HeapsCS-502 Fall 20071 A Short Digression Stacks and Heaps CS-502, Operating Systems Fall 2007 (Slides include materials from Operating System.

Stacks and HeapsCS-502 Fall A Short Digression Stacks and Heaps CS-502, Operating Systems Fall 2007 (Slides include materials from Operating System.
Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.

Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Pointers and Arrays Beyond Chapter 16. 16-2 Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.

Pointers and Arrays Beyond Chapter Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.
Week 9 Part 1 Kyle Dewey. Overview Dynamic allocation continued Heap versus stack Memory-related bugs Exam #2.

Week 9 Part 1 Kyle Dewey. Overview Dynamic allocation continued Heap versus stack Memory-related bugs Exam #2.
University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.

University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.
1 Dynamic Memory Allocation –The need –malloc/free –Memory Leaks –Dangling Pointers and Garbage Collection Today’s Material.

1 Dynamic Memory Allocation –The need –malloc/free –Memory Leaks –Dangling Pointers and Garbage Collection Today’s Material.
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Similar presentations

Ads by Google